By using the `resource_type` service, an attacker could
cause puppet to load arbitrary Ruby files from the puppet
master node's file system. While this behavior is not
enabled by default, `auth.conf` settings could be modified
to allow it. The exploit requires local file system access
to the Puppet Master.

Puppet Module Tool (PMT) did not correctly control
permissions of modules it installed, instead transferring
permissions that existed when the module was built.

When making REST api calls, the puppet master takes YAML from an
untrusted client, deserializes it, and then calls methods on the
resulting object. A YAML payload can be crafted to cause the
deserialization to construct an instance of any class available in
the ruby process, which allows an attacker to execute code
contained in the payload.

A vulnerability found in Puppet could allow an authenticated client
to cause the master to execute arbitrary code while responding to a
catalog request. Specifically, in order to exploit the
vulnerability, the puppet master must be made to invoke the
'template' or 'inline_template' functions during catalog compilation.

A vulnerability found in Puppet could allow an authenticated client
to connect to a puppet master and perform unauthorized actions.
Specifically, given a valid certificate and private key, an agent
could retrieve catalogs from the master that it is not authorized
to access or it could poison the puppet master's caches for any
puppet-generated data that supports caching such as catalogs,
nodes, facts, and resources. The extent and severity of this
vulnerability varies depending on the specific configuration of the
master: for example, whether it is using storeconfigs or not, which
version, whether it has access to the cache or not, etc.

A vulnerability has been found in Puppet which could allow
authenticated clients to execute arbitrary code on agents that have
been configured to accept kick connections. This vulnerability is
not present in the default configuration of puppet agents, but if
they have been configured to listen for incoming connections
('listen=true'), and the agent's auth.conf has been configured to
allow access to the `run` REST endpoint, then a client could
construct an HTTP request which could execute arbitrary code. The
severity of this issue is exacerbated by the fact that puppet
agents typically run as root.

A vulnerability has been found in Puppet that could allow a client
negotiating a connection to a master to downgrade the master's
SSL protocol to SSLv2. This protocol has been found to contain
design weaknesses. This issue only affects systems running older
versions (pre 1.0.0) of openSSL. Newer versions explicitly disable
SSLv2.

A vulnerability found in Puppet could allow unauthenticated clients
to send requests to the puppet master which would cause it to load
code unsafely. While there are no reported exploits, this
vulnerability could cause issues like those described in Rails
CVE-2013-0156. This vulnerability only affects puppet masters
running Ruby 1.9.3 and higher.

This vulnerability affects puppet masters 0.25.0 and above. By
default, auth.conf allows any authenticated node to submit a report
for any other node. This can cause issues with compliance. The
defaults in auth.conf have been changed.